1
00:00:00,330 --> 00:00:02,130
So first, let's clear the screen.

2
00:00:03,310 --> 00:00:08,800
As you may have heard me say before, there are many vulnerabilities in Metasploitable 3.

3
00:00:09,820 --> 00:00:12,550
I'll try to cover the majority of them.

4
00:00:14,100 --> 00:00:21,120
So this way you can go deeper into the machine when you want to, but I'll show you how to get there; the

5
00:00:21,930 --> 00:00:24,480
methodology will pretty much be the same.

6
00:00:25,320 --> 00:00:33,060
First, I'll look at the services to find vulnerabilities by searching on the Nessus scan.

7
00:00:33,810 --> 00:00:35,810
Or you can always use a search engine.

8
00:00:36,690 --> 00:00:37,910
So let's get started.

9
00:00:40,470 --> 00:00:42,780
First, I need to list services.

10
00:00:44,090 --> 00:00:48,530
And a sorted list will be better; that's sorted, not sorted.

11
00:00:49,730 --> 00:00:58,340
Services, oh, too, so this is going to list services based on the second column.

12
00:00:59,340 --> 00:01:04,410
And there are a lot of services here, so let's be more selective, shall we?

13
00:01:05,360 --> 00:01:12,200
So you remember that you've enumerated the SMB services before, and I get to focus on this port,

14
00:01:12,200 --> 00:01:13,580
445.

15
00:01:14,990 --> 00:01:17,690
And let's hope Nessus finds something for these ports.

16
00:01:19,370 --> 00:01:20,690
And yeah, it has.

17
00:01:21,990 --> 00:01:27,340
So you might remember, too, this number that you have discovered; you got it.

18
00:01:27,390 --> 00:01:29,990
So there's an exploit for this as well.

19
00:01:31,300 --> 00:01:34,540
Searching with a CVE number or with this number?

20
00:01:35,630 --> 00:01:36,170
And.

21
00:01:37,130 --> 00:01:39,020
Whichever you do, the result is the same.

22
00:01:40,160 --> 00:01:43,640
Right, so here are the modules related to that vulnerability.

23
00:01:44,570 --> 00:01:52,010
And actually, if you did read about, or if you will read about, this particular vulnerability, you will

24
00:01:52,010 --> 00:01:55,850
see that this is what the NSA even used.

25
00:01:56,880 --> 00:02:01,410
National Security Agency, that is. So I will use that exploit:

26
00:02:02,240 --> 00:02:02,780
MS

27
00:02:02,810 --> 00:02:07,700
17-010 EternalBlue.

28
00:02:09,010 --> 00:02:10,270
Show me the options.

29
00:02:11,580 --> 00:02:22,230
And the target is the same, Metasploitable 3. Set RHOST to the target's IP, and everything's

30
00:02:22,230 --> 00:02:24,540
set except for the payload.

31
00:02:25,800 --> 00:02:29,760
So show payloads to select a suitable payload.

32
00:02:30,880 --> 00:02:37,660
Now, because our target is 64-bit, you can choose the 64-bit reverse Meterpreter payload.

33
00:02:42,410 --> 00:02:46,580
So let's set LHOST to your Kali machine.

34
00:02:48,240 --> 00:02:52,980
And I'm going to set LPORT to 4445.

35
00:02:54,690 --> 00:02:56,000
And let's see the options again.

36
00:02:57,040 --> 00:03:00,790
Nothing to change here, so let's exploit.

37
00:03:02,980 --> 00:03:06,570
And everything looks to be quite OK.

38
00:03:08,970 --> 00:03:11,340
And the Meterpreter shell opens, finally.

39
00:03:12,520 --> 00:03:14,770
The shell, you see, has higher privileges.

40
00:03:15,900 --> 00:03:21,300
And on the other hand, I want to clarify something about this vulnerability.

41
00:03:22,520 --> 00:03:27,110
Sometimes when you try this exploit, you might confront a few problems.

42
00:03:28,070 --> 00:03:31,450
And sometimes, if you want to exploit this vulnerability again,

43
00:03:32,440 --> 00:03:36,440
it doesn't get a shell, or it can come up with other problems.

44
00:03:37,150 --> 00:03:39,580
So what to do in a situation like that?

45
00:03:40,450 --> 00:03:48,100
Sometimes you just got to shut down the machine, and you can restore it from one of the snapshots.

46
00:03:48,110 --> 00:03:53,740
Remember, that's one of the things we addressed earlier when you were setting up, instead of being so

47
00:03:53,740 --> 00:03:55,300
eager to just get in and do it.